
Connect2id server 19.3

This Connect2id server release updates OpenID Federation support for deployments that require compliance with the Finnish Trust Network (FTN) profile (213/2023 S). The significant change is enabling the Connect2id server to be set up as a federated OpenID provider that acts as its own trust anchor. The federation-specific automatic and explicit client registration methods are disabled. Instead, FTN OpenID providers are expected to validate the trust chains of federated entities in a separate administrative process and register the validated clients at the standard OAuth 2.0 / OpenID Connect clients endpoint. The OpenID Federation 1.0 guide is updated to explain how to use the Connect2id server with the FTN profile.

This release also ships a number of updates for Connect2id server deployments that support a CIBA flow for cross-device authentication of users, transaction consent and approval, etc. In particular, the default CIBA plugin now uses a message structure that makes it easier for a backend service to understand which OpenID claims, such as names and other personal information, are being requested. This was done by replicating the structure established by the web API for handling browser-based OAuth 2.0 flows.

Details about the new release can be found in the notes below.

Download 19.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 19.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: a509073b33ebc5438d4de0caba73aaf9986f1f14317910e41390b645dc674c61

Connect2id server 19.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: 6f61ac28e71ea2bb89ceb5851a6606bd03e1eeac43a4976ddebd934edfbe0766

Multi-tenant edition

Apache Tomcat package with Connect2id server 19.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: a509073b33ebc5438d4de0caba73aaf9986f1f14317910e41390b645dc674c61

Connect2id server 19.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: 8e3feeab0c209721f2d9a5c92089606635ec33b3c08e8b7ddb9aad63fdd6ed09

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, or to renew or upgrade your support and updates subscription, email our sales team.


Release notes

19.3 (2025-09-22)

Summary

  • Supports deployments of the Connect2id server as an OpenID Federation 1.0 entity of type openid_provider with no trust anchor / authority hints. In addition, the automatic and explicit client registration types specified in OpenID Federation 1.0 are now optional, to enable federated deployments where clients are registered manually by an administrator, who validates the client trust chain separately from the Connect2id server and then uses the standard /clients endpoint to register the client as a regular OAuth 2.0 client / OpenID relying party.

  • Updates the /ciba-sessions/rest/v1/queue/poll web API resource of the default CIBA request queue plugin to format the requested scope, claims and custom CIBA request parameters in the same manner as the consent prompt of the authorisation session web API (/authz-sessions/rest/v3/).

Configuration

  • /WEB-INF/oidcProvider.properties

    • op.federation.clientRegistrationTypes – Makes the configuration property optional. The default value becomes no enabled OpenID Federation 1.0 client registration types. This change is made to support Connect2id server deployments with federated clients that don’t support the automatic or explicit registration types specified in OpenID Federation 1.0, and instead will use manual registration, for example by an administrator performing the tasks of validating the client trust chain and registering the client at the standard protected /clients endpoint.

    • op.federation.trustAnchors.* – Makes the configuration property optional. The default value is no OpenID Federation 1.0 trust anchor. This change is made to support Connect2id server deployments that act as a trust anchor.

    • op.federation.authorityHints.* – Makes the configuration property optional. The default value is no OpenID Federation 1.0 authority hints. This change is made to support Connect2id server deployments that act as a trust anchor.

  • /WEB-INF/cibaRequestQueue.properties

    • op.ciba.requestQueue.requestParams – Adds claims_locales to the list of default CIBA request parameters to include in the queued messages.

Web API

  • /ciba-sessions/rest/v1

    • The queue/poll resource of the default CIBA request queue plugin changes the formatting of the scope, claims and custom CIBA request parameters to match the formatting of the consent prompt in the authorisation session web API for handling browser-based OAuth 2.0 flows.

      • The scope parameter is formatted as a JSON object with members:

        • new – String array of the newly requested scope values, empty if none. Since the plugin does not yet check for existing end-user consent this array contains all requested scope values.

        • consented – String array of the requested scope values for which end-user consent exists on record. Since the plugin does not yet check for existing consent this array is always empty.

      • The claims parameter is formatted as a JSON object with members:

        • new – JSON object for the newly requested OpenID claims. Since the plugin does not yet check for existing end-user consent, the union of the member arrays contains all requested claims.

          • essential – String array of the requested essential claims, empty if none.

          • voluntary – String array of the requested voluntary claims, empty if none.

        • consented – JSON object for OpenID claims for which end-user consent exists on record. Since the plugin does not yet check for existing consent the member arrays are always empty.

          • essential – String array of the requested essential claims, empty if none.

          • voluntary – String array of the requested voluntary claims, empty if none.

        • locales – String array of the requested claims locales as BCP 47 language tags, omitted if none.

        • verification – JSON object if Identity Assurance is enabled, with members:

          • id_token – JSON object with the optional requested verification for claims returned in the ID token.

          • userinfo – JSON object with the optional requested verification for claims returned at the UserInfo endpoint.

        • purposes – JSON object specifying the individual purposes for each requested claim, as claim name / purpose string pairs, omitted if not specified. To prevent injection attacks all special characters in a purpose string must be escaped before being shown in a user interface.
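To show how a backend service can consume the queue/poll message described above, here is an added Python example that is not part of the Connect2id server or its plugins. The message is a constructed sample following the documented structure, and the function and result key names are the example's own.

```python
# Added example (not Connect2id code): parse the scope / claims part of a
# queue/poll message from the default CIBA request queue plugin into a
# consent summary for a backend service, escaping the client-supplied
# per-claim purposes before they reach any user interface.
import html
import json

# Constructed sample message, following the structure in the release notes.
SAMPLE_POLL_MESSAGE = json.dumps({
    "scope": {"new": ["openid", "email"], "consented": []},
    "claims": {
        "new": {"essential": ["email"], "voluntary": ["name", "birthdate"]},
        "consented": {"essential": [], "voluntary": []},
        "locales": ["fi-FI", "en"],
        "purposes": {"birthdate": "Age check <b>required</b> by law"},
    },
})


def _str_list(obj, *path):
    """Return the string array at the given key path, [] if it is omitted."""
    for key in path:
        if not isinstance(obj, dict):
            raise ValueError("expected JSON object before " + key)
        obj = obj.get(key)
        if obj is None:
            return []
    if not (isinstance(obj, list) and all(isinstance(s, str) for s in obj)):
        raise ValueError("expected string array at " + "/".join(path))
    return obj


def summarise_ciba_request(message):
    """Extract what still needs end-user consent, with UI-safe purposes."""
    msg = json.loads(message)
    purposes = msg.get("claims", {}).get("purposes", {})
    if not all(isinstance(k, str) and isinstance(v, str) for k, v in purposes.items()):
        raise ValueError("purposes must map claim names to strings")
    return {
        "scope_pending": _str_list(msg, "scope", "new"),
        "scope_consented": _str_list(msg, "scope", "consented"),
        "claims_pending": {
            "essential": _str_list(msg, "claims", "new", "essential"),
            "voluntary": _str_list(msg, "claims", "new", "voluntary"),
        },
        "locales": _str_list(msg, "claims", "locales"),
        # Purposes come from the client: HTML-escape them before display.
        "purposes": {name: html.escape(text, quote=True) for name, text in purposes.items()},
    }
```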

Resolved issues

  • The scope and claims CIBA request parameters returned by the /ciba-sessions/rest/v1/queue/poll resource of the default CIBA request queue plugin should be formatted as in the consent prompt of the authorisation session API for browser-based OAuth 2.0 flows (issue server / 1093).

  • Custom CIBA request parameters returned by the /ciba-sessions/rest/v1/queue/poll resource of the default CIBA request queue plugin should be formatted as in the consent prompt of the authorisation session API for browser-based OAuth 2.0 flows (issue server / 1094).

  • The default CIBA request queue plugin must expand scope values that map to OpenID claims (issue server / 1119).

  • Support claims_locales as CIBA request parameter (issue server / 1120).

  • The scope client metadata parameter must be used to filter the allowed scope values in CIBA requests made by the client. Any scope values that are not registered in the client metadata must be automatically removed from the CIBA request before passing it on to the CIBA request handler SPI. If the client is registered without a scope metadata parameter the scope values in its CIBA requests must not be subjected to filtering (issue server / 1114).

  • The tls_client_certificate_bound_access_tokens client metadata parameter must be enforced only at the token endpoint, not at the PAR and CIBA endpoints (issue server / 1121).
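The scope filtering against the client metadata (issue server / 1114) and the expansion of scope values to OpenID claims (issue server / 1119) above, as an added Python example rather than the Connect2id server's own code. The function names are the example's own; the scope-to-claims table is the standard one from OpenID Connect Core 1.0, section 5.4.

```python
# Added example (not Connect2id code): the two CIBA request checks from the
# resolved issues, applied before a request is passed on to a handler.

# Standard OpenID Connect Core 1.0 scope values and the claims they request.
STANDARD_SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}


def filter_scope(requested, client_scope):
    """Drop scope values the client did not register.

    client_scope is the client's "scope" metadata parameter as a list, or
    None when the client was registered without one; in that case the
    requested scope is passed through unfiltered (issue server / 1114).
    """
    if client_scope is None:
        return list(requested)
    allowed = set(client_scope)
    return [s for s in requested if s in allowed]


def expand_scope_to_claims(scope, scope_claims=STANDARD_SCOPE_CLAIMS):
    """Return the OpenID claims implied by the scope values (issue server / 1119).

    Order follows the scope values and duplicates are removed; scope values
    with no claim mapping (such as "openid") contribute nothing.
    """
    claims = []
    for s in scope:
        for c in scope_claims.get(s, []):
            if c not in claims:
                claims.append(c)
    return claims


def prepare_ciba_scope(requested, client_scope):
    """Filtered scope for the request and the claims it expands to."""
    scope = filter_scope(requested, client_scope)
    return scope, expand_scope_to_claims(scope)
```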

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.29.1